Field | Value |
---|---|
Created | 2025.01.06 18:39 |
Machine | s1_win7_x6403 |
Filename | win.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 62 detected (AIDetectMalware, Sdbot, Malicious, score, Ghanarava, MintZard Trojan, Unsafe, Mint, Zard, Save, confidence, Attribute, HighConfidence, moderate confidence, Gh0stRAT, agiy, duuovm, CLOUD, Taranis, Real Protect, high, Behav, Detected, AM@83hwfp, Eldorado, Dorv, R304564, BScope, Genetic, Gencirc, GenAsa, p3uhb3yO, Bulta, susgen) |
md5 | be47562482b77cbab1d03e6290a75c8c |
sha256 | 0664fe80b27add36b24a8865d6c40c458c1754968bfdb33c78c92e84aa8c2c06 |
ssdeep | 1536:R625Dpcpnwwb6Xmg/lS/9UbzR4jDUsTlGnouy8:R64DCzUdMUbzR4n3Tl2out |
imphash | 3ddb85e3158f28a83729dcc97be8a030 |
impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EWhz69OwYGbQ6XWqP:VA/DzqYOZHYNYmQWfP |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 62 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Disables Windows Security features |
watch | Attempts to modify UAC prompt behavior |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Installs itself for autorun at Windows startup |
watch | Modifies security center warnings |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | The executable uses a known packer |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x424268 LoadLibraryA
0x42426c GetProcAddress
0x424270 VirtualProtect
0x424274 VirtualAlloc
0x424278 VirtualFree
0x42427c ExitProcess
ADVAPI32.dll
0x424284 FreeSid
DNSAPI.dll
0x42428c DnsFree
SHLWAPI.dll
0x424294 PathFindFileNameA
USER32.dll
0x42429c wsprintfA
WS2_32.dll
0x4242a4 __WSAFDIsSet
EAT (Export Address Table): none